1) December 1, 2017 is the earliest credible date that any RFP respondent can provide the Managed CA solution proposed by Google, assuming a start date of August 1, 2017. Only one RFP respondent initially proposed a schedule targeting August 8, 2017 (assuming a start date of June 12, 2017). We did not deem this proposal to be credible, however, based on the lack of specificity around our RFP evaluation criteria, as compared to all other RFP responses which provided detailed responses to all aspects of the RFP, and we have received no subsequent information from this bidder to increase our confidence.
2) We are using several selection criteria for evaluating RFP responses, including the depth of plan to address key technical integration and operational requirements, the timeframe to execute, the ability to handle the scope, volume, language, and customer support requirements both for ongoing issuance and for one-time replacement of certificates issued prior to June 1, 2016, compliance program and posture, and the ability to meet uptime, interface performance, and other SLAs. Certain RFP respondents have distinguished themselves based on the quality and depth of their integration planning assumptions, requirements and activities, which have directly influenced the dates we have proposed for the SubCA proposal. 3) The RFP was first released on May 26, 2017. The first round of bidder responses was first received on June 12, 2017. 4) It is our longstanding policy not to comment on rumors or market speculation. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Wednesday, July 19, 2017 10:25 AM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec Update on SubCA Proposal Hi Steve, Thank you for this update on Symantec's progress. I have a few follow-up questions: 1) Did any of the RFP respondents indicate that they could provide the Managed CA solution in the timeframe originally proposed by Google? (August 8th) Alternatively, is December 1st, 2017 the earliest date that any RFP respondents can achieve? 2) What selection criteria is Symantec using in considering RFP responses? 3) On June 1st, Symantec wrote that "we are in the midst of a rigorous RFP process" (https://www.symantec.com/connect/blogs/symantec-s-response-google-s-subca-proposal). In this mail you wrote that "Last month, we released a Request for Proposal (RFP)". How do you reconcile those? 4) There are currently rumors that Symantec is considering a sale of its CA business (https://www.reuters.com/article/us-symantec-divestiture-idUSKBN19W2WI). Do these timelines reflect that possibility, or should we expect requests to amend this timeline in the event of a change of ownership? Thank you, Alex _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy